Kerberos Essentials or Core Concepts

Let us understand all the core concepts or essentials related to Kerberos in detail. We will start with architecture and then go through the setup process while understanding all the key concepts of Kerberos.

Kerberos Architecture


Let us understand the Kerberos architecture. The linked article gives a detailed overview of the Kerberos architecture, and the diagram from that article is included here for your reference.

Pre-requisites

We will be creating a simulated environment to install, validate and understand all the core concepts of Kerberos.

  • If you are using a Mac, Windows or Linux desktop, you can create virtual machines using tools like VirtualBox and Vagrant. You need at least 16 GB RAM and a quad-core CPU to set up and use them effectively.
    • Install VirtualBox
    • Install Vagrant
    • Set up 3 virtual machines using the scripts in our GitHub repository
    • Update manifest.yml with these changes:
---
instances: 2
provider: virtualbox
name_prefix: krb0
name_suffix: .itversity.com
ip_prefix: 192.168.100.20
storage_devices: 2
disk_size: 2G
memory: 1024
cpus: 1
box: centos/7
path: bootstrap.sh
  • Once the virtual machines are created, make sure /etc/hosts on all the guest virtual machines is updated with these 3 entries. Also update the hosts file on the host machine.
192.168.100.200 krb00.itversity.com krb00
192.168.100.201 krb01.itversity.com krb01
192.168.100.202 krb02.itversity.com krb02

Key Terms and Components in KDC

Here are some of the key terms we need to understand.

  • krb5 - Kerberos 5
  • KDC - Key Distribution Center
  • PAM - Pluggable Authentication Modules
  • Realm - A Kerberos realm is the domain over which a Kerberos authentication server has the authority to authenticate a user, host or service.
  • krb5kdc - The KDC daemon, which contains both the Authentication Server and the Ticket Granting Server for authorization.
  • kadmin - kadmin is used for the maintenance of Kerberos principals, password policies, and service key tables (keytabs).
  • Client - Any user, host or service that authenticates using the KDC.

Here are the components of KDC.

  • An authentication server that performs the initial authentication and issues ticket-granting tickets for users.
  • A ticket granting server that issues service tickets that are based on the initial ticket-granting tickets.
  • A principals database of secret keys for all the users and services that it maintains.

Installation

Let us go through the steps required to set up Kerberos on both the server and the clients.

  • We have to install krb5-server on the server machine.
  • krb5-workstation is the client software and needs to be installed on the server as well as on all the designated clients.
  • pam_krb5 - The pam_krb5 package contains sample configuration files that allow services such as login and gdm to authenticate users as well as obtain initial credentials using their passwords.

On Server

sudo yum install -y krb5-server krb5-workstation pam_krb5

On Clients

sudo yum install -y krb5-workstation pam_krb5

Configuration

Go to /var/kerberos/krb5kdc/

  • Configure kdc.conf for krb5kdc so that its realm is ITVERSITY.COM. The realm, KDC and admin server settings for ITVERSITY.COM are defined in /etc/krb5.conf on the server as follows:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = ITVERSITY.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
ITVERSITY.COM = {
kdc = krb00.itversity.com
admin_server = krb00.itversity.com
}

[domain_realm]
.itversity.com = ITVERSITY.COM
itversity.com = ITVERSITY.COM
  • Configure kadm5.acl
*/admin@ITVERSITY.COM *
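The kdc.conf itself is not reproduced in this material. As an added example (not the course's own file), here is a /var/kerberos/krb5kdc/kdc.conf for this realm based on the stock CentOS 7 krb5-server file, with the realm renamed to ITVERSITY.COM and the legacy single-DES, RC4 and 3DES encryption types left out of supported_enctypes; the file paths are the package defaults.

```ini
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 ITVERSITY.COM = {
  # Encryption type of the master key that protects the principal database
  # created by "kdb5_util create -s" below.
  master_key_type = aes256-cts
  # Access control list read by kadmind; this is the kadm5.acl edited above.
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  # Dictionary of words that password policies refuse as user passwords.
  dict_file = /usr/share/dict/words
  # Keytab used by kadmind for its own kadmin/admin and kadmin/changepw keys.
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # AES only: new principals get no DES, RC4 or 3DES keys.
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
```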

The server will also act as a client. The configuration file for clients is /etc/krb5.conf:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = ITVERSITY.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
ITVERSITY.COM = {
kdc = krb00.itversity.com
admin_server = krb00.itversity.com
}

[domain_realm]
.itversity.com = ITVERSITY.COM
itversity.com = ITVERSITY.COM
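Because the KDC hostnames in [realms] are resolved through /etc/hosts in this setup, a typo such as krb0 versus krb00 makes kinit fail before any ticket is issued. The following check, an added example that is not part of the original material, extracts every kdc and admin_server host from a krb5.conf and confirms each one appears in a hosts file; the sample hosts and krb5.conf contents are constructed from the entries shown above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that every kdc/admin_server
# host named in a krb5.conf [realms] section has an entry in an /etc/hosts-style file.
# Assumes the layout used above: "key = value" lines and name resolution via /etc/hosts.

# Print the kdc and admin_server hostnames from [realms], one per line, port suffix removed.
kdc_hosts_from_krb5conf() {
  awk '
    /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/) }
    in_realms && $1 ~ /^(kdc|admin_server)$/ && $2 == "=" { sub(/:[0-9]+$/, "", $3); print $3 }
  ' "$1" | sort -u
}

# Return 0 if every KDC host is listed in the hosts file, 1 otherwise (missing hosts on stderr).
check_kdc_hosts_resolve() {
  missing=$(kdc_hosts_from_krb5conf "$1" | while read -r host; do
      awk -v h="$host" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                        END { exit !found }' "$2" || echo "$host"
    done)
  if [ -n "$missing" ]; then
    printf 'KDC host(s) in %s missing from %s: %s\n' "$1" "$2" "$missing" >&2
    return 1
  fi
  return 0
}

# Constructed sample: the tutorial's three-host /etc/hosts and a krb5.conf whose
# kdc and admin_server point at $1. Returns the status of the check.
demo_check() {
  tmp=$(mktemp -d)
  cat > "$tmp/hosts" <<'EOF'
192.168.100.200 krb00.itversity.com krb00
192.168.100.201 krb01.itversity.com krb01
192.168.100.202 krb02.itversity.com krb02
EOF
  printf '[realms]\nITVERSITY.COM = {\n kdc = %s\n admin_server = %s\n}\n' "$1" "$1" > "$tmp/krb5.conf"
  check_kdc_hosts_resolve "$tmp/krb5.conf" "$tmp/hosts" && rc=0 || rc=1
  rm -rf "$tmp"
  return $rc
}

demo_check krb00.itversity.com                                   # correct name: passes
demo_check krb0.itversity.com || echo "misconfiguration detected" # krb0 is not in hosts
```

Run it against the real files with check_kdc_hosts_resolve /etc/krb5.conf /etc/hosts on every machine before starting krb5kdc.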

Create Database

sudo kdb5_util create -s -r ITVERSITY.COM

Start and Enable Kerberos on Startup

sudo systemctl start krb5kdc kadmin
sudo systemctl enable krb5kdc kadmin
sudo systemctl status krb5kdc
sudo systemctl status kadmin

Overview of kadmin

Let us understand a few details related to kadmin.

  • kadmin is a CLI to manage principals, policies, etc.
  • We can access kadmin locally as root using kadmin.local.
  • Let us create a principal for the admin user using kadmin.local, with a password.
  • If we have a principal with admin permissions to manage principals, we can also connect to kadmin remotely using kadmin -s HOST:[PORT] -p PRINCIPAL.
  • We can get the list of commands using ?.
  • Let us review some of the important commands.

Creating Principals

We can create principals using kadmin.local.

  • There are 3 types of principals:
    • User principals
    • Host principals
    • Service principals
  • Here is how we create user principals:
addprinc admin
  • We can also add host principals using the following syntax. We need to generate a host principal to configure SSH on the designated server; in our case it is krb01.
  • We can connect remotely as long as we have a user principal with admin permissions. With the kadm5.acl shown above, that means a principal whose instance is admin (for example admin/admin); a bare admin principal does not match */admin. Also note that ktadd writes the key into the default keytab (/etc/krb5.keytab) of the host on which kadmin runs, so run it on krb01 itself or copy the keytab there afterwards.

addprinc -randkey host/krb01.itversity.com
ktadd host/krb01.itversity.com

Configure SSH with KDC

We will configure the SSH service with the KDC on one of the clients, krb01.itversity.com.

On the Kerberos client we need to edit the SSH client configuration so that all clients use Kerberos authentication by default. To do this, edit the file /etc/ssh/ssh_config and add the lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Allow Kerberos Authentication to the Server

From the command line we can allow Kerberos authentication either using authconfig-tui or simply with the command:

sudo authconfig --enablekrb5 --update

This will make the changes to the PAM configuration. I would also reload SSH at this stage to be certain everything is in place:

sudo systemctl reload sshd

If a firewall is in place, you need to open port 88 on both TCP and UDP.

Validate SSH with KDC